Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User Accessed Suspicious URL Categories

User Accessed Suspicious URL Categories

Back
Idfb0f4a93-d8ad-4b54-9931-85bdb7550f90
RulenameUser Accessed Suspicious URL Categories
DescriptionCreates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1566
T1071
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
Version1.0.5
Arm templatefb0f4a93-d8ad-4b54-9931-85bdb7550f90.json
Deploy To Azure
SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)

id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
tactics:
- InitialAccess
- CommandAndControl
queryPeriod: 1h
triggerThreshold: 0
name: User Accessed Suspicious URL Categories
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1566
- T1071
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
status: Available
version: 1.0.5
entityMappings:
- fieldMappings:
  - columnName: cs_userdn
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: c_ip
    identifier: Address
  entityType: IP

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "properties": {
        "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90",
        "customDetails": null,
        "description": "'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'\n",
        "displayName": "User Accessed Suspicious URL Categories",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "cs_userdn",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "c_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml",
        "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1071",
          "T1566"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}